Introduction

Why should you move away from User Key-based encryption?

While it is a bit more secure than a central encryption approach, user key-based encryption has some disadvantages.
It blocks some additional functions, such as integrating an online editor like LibreOffice or OnlyOffice into
ownCloud, and can cause problems when sharing files with groups.
See Limitations of User-Key Based Encryption for more details.
Therefore, master key-based encryption is now the recommended setup for all new installations.

User key-based encryption is planned to be removed from ownCloud in the near future.
As an existing customer, you will be able to continue to use this solution as long as ownCloud 10.x is supported.

Pre-Conditions

The decryption workflow described here will only work with the following pre-conditions:

The admin recovery key password is activated and available to the ownCloud administrator

Users have opted-in to enable the admin recovery key password

The recovery key password has been supplied by the admin on the users page

The decryption of the files by the ownCloud administrator requires the current passwords of all users!
This only works when users have enabled password recovery and if an admin recovery password is available.

Remove the Encryption Records from the ownCloud Database

Once your ownCloud files are unencrypted, and encryption has been disabled, you need to remove
the encryption records from the database. There is, currently, no occ command to handle this,
so it has to be done manually. Specifically, you need to remove all records from the oc_appconfig
table where the appid column is set to encryption.

In the examples below, you can see how to do this using MySQL.
If you are not using MySQL, please use the commands specific to your database vendor.

SELECT * FROM `oc_appconfig` WHERE `appid` LIKE 'encryption';

Remove the files_encryption Directory

With the database updated, the files_encryption directory needs to be removed next.
Below is an example of how to do so, to save you time.
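
The removal step above, as an added example that is not taken from the ownCloud documentation: shell helpers that list the files_encryption directories first and delete them only when asked to. The data directory path and its layout (files_encryption directly under the data directory and under each user's directory) are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example: locate and remove leftover files_encryption directories.
# Assumed layout: <data>/files_encryption and <data>/<user>/files_encryption.
# Uses -mindepth/-maxdepth (GNU and BSD find; not strict POSIX).

# list_key_dirs DATA_DIR
# Print every real directory named files_encryption at most two levels
# below DATA_DIR. Symlinks are not followed (-P), matches are not entered
# (-prune), and a user folder such as <user>/files/files_encryption is
# out of range, so user content is never selected.
list_key_dirs() {
    find -P "$1" -mindepth 1 -maxdepth 2 -type d -name files_encryption \
        -print -prune
}

# count_key_dirs DATA_DIR
# Number of files_encryption directories still present.
count_key_dirs() {
    list_key_dirs "$1" | wc -l | tr -d ' '
}

# remove_key_dirs DATA_DIR [--apply]
# Dry run by default: only reports what would be deleted.
# With --apply the listed directories are removed recursively.
remove_key_dirs() {
    data_dir=$1
    mode=${2:-}
    [ -d "$data_dir" ] || { echo "not a directory: $data_dir" >&2; return 2; }
    list_key_dirs "$data_dir" | while IFS= read -r dir; do
        if [ "$mode" = "--apply" ]; then
            rm -rf -- "$dir" && echo "removed: $dir"
        else
            echo "would remove: $dir"
        fi
    done
}

# Usage (the path is a placeholder for your own data directory):
#   remove_key_dirs /path/to/owncloud/data           # review the list
#   remove_key_dirs /path/to/owncloud/data --apply   # delete
#   count_key_dirs  /path/to/owncloud/data           # expect 0 afterwards
```

Run the dry run as the web server user and back up the data directory before using --apply, since the removed directories hold the old key material.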

Verify the Encrypted Files

With the files encrypted using master key-based encryption, you should now verify that everything worked properly.
To do so, run a SELECT query in your database that returns all records from the oc_appconfig table where
the appid column is set to encryption. You should see a number of records, as in the output of the example below.